By Nicole DiGiose, content editor
The attack works against all modern protected Wi-Fi networks. Image source: Pixabay.
Wi-Fi, the wireless data transfer technology that we use on a daily basis, is in trouble. The WPA2 security protocol, a standard for Wi-Fi security that’s used on nearly every Wi-Fi router, has reportedly been cracked .
Understandably, you’re likely wondering if this affects you. Unfortunately, the short version of the story is that, if your device supports Wi-Fi, it’s most likely affected. Why? Like many people, if you’ve set up a home Wi-Fi network, you’ve encountered one or more screens concerning WEP and its successor, WPA2. Both are security protocols created by the Wi-Fi Alliance to keep your data safe from prying eyes. A problem with the WPA2 standard means that any network using it could be broken into, and once that happens, anything on the network is exposed, meaning that hackers could snoop on the traffic being sent over to them.
According to an advisory by US-CERT, via Ars Technica , there are “several key management vulnerabilities” in WPA2, allowing for “decryption, packet replay, TCP connection hijacking, HTTP content injection.” The worst part is that these are protocol-level issues, meaning that “most or all correct implementations of the standard will be affected.” The details on the security exploit, called KRACK, or key reinstallation attacks, were recently released on krackattacks.com .
The statement released by krackattacks.com said that an attacker within range of a victim can exploit WPA2’s weaknesses by using KRACKs. Attackers can use this attack technique to read information that was previously assumed to be safely encrypted. “This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on,” the statement read. “The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data.” An attacker might be able to inject ransomware or other malware into websites, for example.
Because the weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations, any correct implementation of WPA2 is likely affected. According to KRACK Attacks’ website, to prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it’s probably affected, as Android, Linux, Apple, Windows, OpenBSD, MediaTek, and Linksys were affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC or contact your vendor.
Below is a video by YouTube user Mathy Vanhoef of the exploit hitting an Android phone.
“Our main attack is against the 4-way handshake of the WPA2 protocol,” read krackattacks.com . “This handshake is executed when a client wants to join a protected Wi-Fi network and is used to confirm that both the client and access point possess the correct credentials (e.g., the pre-shared password of the network).” At the same time, the 4-way handshake negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, modern protected Wi-Fi networks use the 4-way handshake, which implies that these networks are affected by the attack. The website also said that the attack works against personal and enterprise Wi-Fi networks, against the older WPA, the latest WPA2 standard, and even against networks that only use AES.
In what seems to be one of the biggest online security threats ever, what are some ways to protect your data moving forward? If you care about security, you should steer clear of Wi-Fi until the issue is resolved. At the very least, you should use HTTPS connections whenever possible, and a secure VPN might add an extra layer of security. It would also be wise to make sure that all of your devices are up to date, and you should also update the firmware of your router. If you have suggestions, leave them in the comments section below.
For additional information, visit krackattacks.com .
Advertisement
Learn more about Electronic Products Magazine
